The hypothesis is that a match on the EquationGroup Tool - April Leak rule indicates potential adversary use of legacy malware with known persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-standing threats that may have evaded traditional detection methods.
YARA Rule
rule EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip {
    meta:
        description = "Detects EquationGroup Tool - April Leak"
        author = "Florian Roth"
        reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
        date = "2017-04-15"
        hash1 = "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6"
        hash2 = "fcfb56fa79d2383d34c471ef439314edc2239d632a880aa2de3cea430f6b5665"
        hash3 = "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29"
    strings:
        $s1 = "\\Registry\\User\\CurrentUser\\" fullword wide
        $s2 = "\\DosDevices\\%ws" fullword wide
        $s3 = "\\Device\\%ws_%ws" fullword wide
        $s4 = "sys\\mstcp32.dbg" fullword ascii
        $s5 = "%ws%03d%ws%wZ" fullword wide
        $s6 = "TCP/IP driver" fullword wide
    condition:
        ( uint16(0) == 0x5a4d and filesize < 200KB and 4 of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns ($s1 to $s6) in its detection logic. The condition requires an MZ header at offset 0 (uint16(0) == 0x5a4d), a file size under 200KB, and any 4 of the 6 strings, so a sample does not need to contain every string to match.
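To make the condition concrete, the following is an added plain-Python re-implementation of the rule's logic. It is not part of the original page and is not a YARA engine; it exists only to show what `uint16(0) == 0x5a4d`, `filesize < 200KB`, `4 of them` and the `fullword wide` / `fullword ascii` modifiers actually test. The `build_sample` helper and the buffers it produces are constructed test data, not real binaries.

```python
"""Plain-Python walk-through of the condition in
EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip (added example, not a YARA engine)."""

# The six strings from the rule, each with its YARA encoding modifier.
RULE_STRINGS = {
    "$s1": ("\\Registry\\User\\CurrentUser\\", "wide"),
    "$s2": ("\\DosDevices\\%ws", "wide"),
    "$s3": ("\\Device\\%ws_%ws", "wide"),
    "$s4": ("sys\\mstcp32.dbg", "ascii"),
    "$s5": ("%ws%03d%ws%wZ", "wide"),
    "$s6": ("TCP/IP driver", "wide"),
}
MAX_FILESIZE = 200 * 1024   # YARA's "filesize < 200KB"
MIN_MATCHES = 4             # YARA's "4 of them"


def _is_alnum(byte):
    return bytes([byte]).isalnum()


def _is_fullword(data, start, end, encoding):
    """YARA 'fullword': the match must not be bordered by alphanumeric characters.
    For 'wide' strings the neighbouring character is a 2-byte UTF-16LE unit."""
    if encoding == "ascii":
        before_ok = start == 0 or not _is_alnum(data[start - 1])
        after_ok = end >= len(data) or not _is_alnum(data[end])
    else:
        before_ok = start < 2 or not (data[start - 1] == 0 and _is_alnum(data[start - 2]))
        after_ok = end + 1 >= len(data) or not (data[end + 1] == 0 and _is_alnum(data[end]))
    return before_ok and after_ok


def find_fullword(data, text, encoding):
    """True if `text` occurs in `data` as a fullword match in the given encoding."""
    needle = text.encode("utf-16-le") if encoding == "wide" else text.encode("ascii")
    pos = data.find(needle)
    while pos != -1:
        if _is_fullword(data, pos, pos + len(needle), encoding):
            return True
        pos = data.find(needle, pos + 1)
    return False


def matched_strings(data):
    """Set of rule string identifiers ($s1..$s6) that match the buffer."""
    return {name for name, (text, enc) in RULE_STRINGS.items() if find_fullword(data, text, enc)}


def evaluate_rule(data):
    """True when the buffer would satisfy the rule's condition."""
    has_mz = len(data) >= 2 and data[:2] == b"MZ"   # uint16(0) == 0x5a4d, little-endian "MZ"
    return has_mz and len(data) < MAX_FILESIZE and len(matched_strings(data)) >= MIN_MATCHES


def build_sample(names, mz=True):
    """Constructed test buffer (not a real PE file): a 2-byte header, padding,
    then the selected rule strings, each followed by NUL bytes."""
    buf = bytearray(b"MZ" if mz else b"XX")
    buf += b"\x00" * 62
    for name in names:
        text, enc = RULE_STRINGS[name]
        buf += text.encode("utf-16-le") if enc == "wide" else text.encode("ascii")
        buf += b"\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    four = ["$s1", "$s2", "$s4", "$s6"]
    hit = build_sample(four)
    print("MZ + 4 strings :", evaluate_rule(hit), sorted(matched_strings(hit)))
    print("MZ + 3 strings :", evaluate_rule(build_sample(four[:3])))
    print("no MZ + 4 str. :", evaluate_rule(build_sample(four, mz=False)))
    # fullword: "sys\mstcp32.dbg" embedded inside a longer token does not count
    print("embedded $s4   :", find_fullword(b"xsys\\mstcp32.dbgx", "sys\\mstcp32.dbg", "ascii"))
```

The fullword check is the part analysts most often misread: `$s4` inside `xsys\mstcp32.dbgx` does not match, and a wide string preceded by an alphanumeric UTF-16 character is likewise rejected, which is why a sample can carry a substring of an indicator and still fall short of the 4-of-6 threshold.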
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a scheduled job to clean temporary files or update system settings.
Filter/Exclusion: Check for ProcessName = schtasks.exe and CommandLine containing keywords like /create, /delete, or /run with known maintenance scripts.

Scenario: Windows Update or Patching Process
Description: The Windows Update service or wuauclt.exe executing updates, which may trigger similar behavior to the EquationGroup tool.
Filter/Exclusion: Filter by ProcessName = wuauclt.exe or ProcessName = windowsupdate.exe and exclude processes running during scheduled update windows.

Scenario: Admin Performing Disk Cleanup or Log Rotation
Description: An administrator using cleanmgr.exe or logrotate (on Linux) to clean up temporary files or logs, which may mimic the behavior of the EquationGroup tool.
Filter/Exclusion: Exclude processes with ProcessName = cleanmgr.exe or ProcessName = logrotate and check for administrative context or known cleanup scripts.

Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool, such as msseces.exe (Microsoft Defender) or avgnt.exe, performing a full system scan that may trigger similar network or file activity.
Filter/Exclusion: Filter by ProcessName matching known antivirus executables and check for CommandLine containing scan-related keywords like /fullscan or /quickscan.

Scenario: Database Backup or Restore Job
Description: A database backup or restore process using tools like sqlbackup.exe or mongodump.exe, which may involve file operations or network activity similar to the EquationGroup tool.
*Filter/